Arr0way
- What is Naabu?
- Naabu vs Nmap
- What does Naabu do:
- Download & Install Naabu
- Naabu Example Command Options
- Naabu Input File, Fast Scan + Verify Port 21
- Naabu Fast Scan, Verify, Nmap Services
- Document Changelog
The following Naabu cheat sheet aims to explain what Naabu is, what it does, and how to install it and use it by providing Nabuu command examples in a cheat sheet style documentation format.
What is Naabu?
Naabu is a simple port scanner written in Golang by Project Discovery, with a goal of being simple and fast.
Naabu vs Nmap
Why use Naabu over Nmap, the primary reason for me personally is the automatic IP deduplication. Meaning, when performing subdomain or domain enumeration of a target organisation, and you feed Naabu an input file of domain or subdomain it will resolve them and only scan unique IP addresses, so you are not wasting time and resources scanning the same target IP address twice.
What does Naabu do:
- Host discovery
- Automatic IP Deduplication for DNS port scan
- Port discovery / enumeration
- SYN/CONNECT/UDP probe based scanning
- Passive port scanning via Shodan
- Performs IPv4/IPv6 port scanning
- Can be configured to call Nmap to run NSE scripts post port detection
- Multiple input support - STDIN/HOST/IP/CIDR/ASN
- Multiple output format support - JSON/TXT/STDOUT
Download & Install Naabu
You can obtain Naabu via the Project Discovery Github.
Naabu Linux Install
go install -v github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
Kali
Kali has a package for Naabu (caveat, it may not be the latest version):
sudo apt install naabu
Naabu File Input Options
Naabu input options, allowing Naabu to read and proccess data from input files.
| Command | Description |
|---|---|
-host string[] |
hosts to scan ports for (comma-separated) |
-list, -l string |
list of hosts to scan ports (file) |
-exclude-hosts, -eh string |
hosts to exclude from the scan (comma-separated) |
-exclude-file, -ef string |
list of hosts to exclude from scan (file) |
Naabu Port Options
| Command | Description |
|---|---|
-port, -p string |
ports to scan (80,443, 100-200 |
-top-ports, -tp string |
top ports to scan (default 100) |
-exclude-ports, -ep string |
ports to exclude from scan (comma-separated) |
-ports-file, -pf string |
list of ports to exclude from scan (file) |
-exclude-cdn, -ec |
skip full port scans for CDN's (only checks for 80,443) |
Nabu Rate Limiting
| Command | Description |
|---|---|
-c int |
general internal worker threads (default 25) |
-rate int |
packets to send per second (default 1000) |
Naabu Scan Output Options
| Command | Description |
|---|---|
-o, -output string |
file to write output to (optional) |
-json |
write output in JSON lines format |
-csv |
write output in csv format |
Naabu Configuration Options
| Command | Description |
|---|---|
-scan-all-ips, -sa |
scan all the IP's associated with DNS record |
-scan-type, -s string |
type of port scan (SYN/CONNECT) (default "s") |
-source-ip string |
source ip |
-interface-list, -il |
list available interfaces and public ip |
-interface, -i string |
network Interface to use for port scan |
-nmap |
invoke nmap scan on targets (nmap must be installed) - Deprecated |
-nmap-cli string |
nmap command to run on found results (example: -nmap-cli 'nmap -sV') |
-r string |
list of custom resolver dns resolution (comma separated or from file) |
-proxy string |
socks5 proxy |
-resume |
resume scan using resume.cfg |
-stream |
stream mode (disables resume, nmap, verify, retries, shuffling, etc) |
Naabu Optimization Options
| Command | Description |
|---|---|
-retries int |
number of retries for the port scan (default 3) |
-timeout int |
millisecond to wait before timing out (default 1000) |
-warm-up-time int |
time in seconds between scan phases (default 2) |
-ping |
ping probes for verification of host |
-verify |
validate the ports again with TCP verification |
Naabu Debug Options
| Command | Description |
|---|---|
-debug |
display debugging information |
-verbose, -v |
display verbose output |
-no-color, -nc |
disable colors in CLI output |
-silent |
display only results in output |
-version |
display version of naabu |
-stats |
display stats of the running scan |
-si, -stats-interval |
int number of seconds to wait between showing a statistics update (default 5) |
Naabu Example Command Options
The following are real world examples of Naabu commands.
Naabu Scan All Ports
naabu -p 0-65535Naabu Input File, Fast Scan + Verify Port 21
cat 21.txt | ~/go/bin/naabu -verify -ec -rate 9000 -retries 1 -p 21 -warm-up-time 0 -c 50 -silent -o ftp.txtNaabu Fast Scan, Verify, Nmap Services
Naabu input file, scan all ports, output to text, fast scan, verify open ports, use Nmap to perform service enumeration
naabu -list subdomains.txt -verify -ec -rate 9000 -retries 1 -p 0-65535 -warm-up-time 0 -c 50 -nmap-cli "nmap -sV -oG nmap-naabu-out" -silent -o naabu-full.txtIf you found this Naabu cheat sheet useful, please share it below.
Document Changelog
- Last Updated: 12/02/2024 (12th of February 2024)
- Author: Arr0way
- Notes: Checked syntax was current for latest version of Naabu.